The "Shenzhen Special Economic Zone Data Regulations" were adopted at the second meeting of the Standing Committee of the 7th Shenzhen Municipal People's Congress on June 29, 2021, and are hereby promulgated, entering into force on January 1, 2022.
(Adopted at the Second Meeting of the Standing Committee of the 7th Shenzhen Municipal People's Congress on June 29, 2021)
Article 1: To regulate data processing activities, safeguard the legitimate rights and interests of natural persons, legal entities, and non-legal organizations, and to promote the open flow and effective utilization of data as a key production factor, this regulation is hereby formulated. It aims to accelerate the development of the digital economy, digital society, and digital government, based on the fundamental principles of relevant laws and administrative regulations, tailored to the specific conditions of the Shenzhen Special Economic Zone.
Article 2: The meanings of the following terms used in these Regulations are as follows:
(1) Data refers to any record of information stored electronically or by other means.
(2) Personal data refers to data containing information that can identify a specific natural person, excluding data that has been anonymized.
(3) Sensitive personal data refers to personal data that, if leaked, illegally disclosed, or misused, could lead to discrimination against individuals or pose a serious threat to their personal safety and property. The specific scope shall be determined in accordance with laws and administrative regulations.
(4) Biometric data refers to personal data derived from the processing of biological characteristics of natural persons, such as physical, physiological, and behavioral traits, enabling the unique identification of individuals. This includes data like a person's genetic information, fingerprints, voice patterns, palm prints, ear shapes, iris scans, and facial recognition features.
(5) Public data refers to the data generated and processed by public administration and service institutions in the course of performing their public management duties or providing public services in accordance with the law.
(6) Data processing refers to activities such as data collection, storage, use, processing, transmission, provision, and sharing.
(7) Anonymization refers to the process by which personal data is processed in a way that makes it impossible to identify a specific natural person, and the data cannot be re-identified.
(8) A user profile refers to activities involving the automated processing of personal data to assess certain characteristics of natural persons, including automation aimed at evaluating work performance, financial status, health conditions, personal preferences, interests, reliability, behavioral patterns, location, and movement patterns.
(9) Public management and service organizations refer to state organs, public institutions, and other entities legally responsible for managing public affairs within the city, as well as organizations providing services such as education, health care, social welfare, water supply, electricity supply, gas supply, environmental protection, public transportation, and other essential public services.
Article 3: Natural persons enjoy personality rights over their personal data as stipulated by laws, administrative regulations, and this regulation.
The processing of personal data should serve clear and legitimate purposes, while adhering to the principles of data minimization and reasonable retention periods.
Article 4: Natural persons, legal entities, and non-legal organizations shall enjoy property rights over data products and services generated from their lawful data processing, as stipulated by laws, administrative regulations, and this regulation. However, they must not endanger national security or public interests, nor may they infringe upon the legitimate rights and interests of others.
Article 5: The handling of public data shall adhere to the principles of lawful collection, unified management, on-demand sharing, orderly openness, and comprehensive utilization, fully leveraging public data resources to optimize public administration and services, enhance the modernization of urban governance, and drive economic and social development.
Article 6: The Municipal People's Government shall establish and improve a comprehensive data governance system and standards framework, systematically promoting personal data protection, public data sharing and openness, the development of data-driven markets, and robust oversight and management of data security.
Article 7: The Municipal People's Government establishes the Municipal Data Work Committee, which is responsible for studying and coordinating major issues related to data management within the city. The day-to-day operations of the Municipal Data Work Committee are handled by the Municipal Public Service Data Management Department.
The Municipal Data Work Committee may establish several specialized committees.
Article 8: The municipal cyberspace administration department is responsible for overall coordination and supervision of personal data protection, network data security, cross-border data flows, and other related activities within the city.
The municipal government's administrative department of public service data is responsible for the overall coordination, guidance, and supervision of public data management within the city.
The Municipal Development and Reform, Industry and Information Technology, Public Security, Finance, Human Resources and Social Security, Planning and Natural Resources, Market Regulation, Audit, National Security, and other departments perform data supervision and management functions within their respective areas of responsibility, in accordance with relevant laws and regulations.
The city's industry-specific authorities are responsible for the overall coordination, guidance, and supervision of data management within their respective sectors.
Section 1: General Provisions
Article 9: The processing of personal data shall fully respect and safeguard all legitimate rights and interests of individuals related to their personal data.
Article 10: The processing of personal data shall comply with the following requirements:
(1) The purposes for processing personal data are clear and reasonable, and the methods used are lawful and legitimate;
(2) Processing shall be limited to the minimum scope necessary to achieve the intended purpose and conducted in a manner that minimizes impact on individuals' rights; unauthorized processing of personal data unrelated to the stated purpose is prohibited.
(3) Inform individuals, in accordance with the law, about the types, scope, purposes, and methods of personal data processing, and obtain their consent as required by law;
(4) Ensure the accuracy and necessary completeness of personal data, preventing any harm to the individuals concerned caused by inaccurate or incomplete personal information;
(5) Ensure the security of personal data, preventing unauthorized disclosure, destruction, loss, alteration, and illegal use of personal information.
Article 11: The "minimum scope necessary to achieve the processing purpose and the least intrusive approach to individuals' rights," as referred to in Paragraph 2 of Article 10 of these Regulations, includes, but is not limited to, the following scenarios:
(1) The types and scope of personal data processed must be directly relevant to the purpose of processing; without handling these specific personal data, the intended purpose cannot be achieved.
(2) The amount of personal data processed should be the minimum necessary to achieve the intended purpose;
(3) The frequency of processing personal data should be the minimum necessary to achieve the intended purpose;
(4) The retention period for personal data should be the shortest time necessary to achieve the purpose of processing. Once this period has expired, personal data must either be deleted or anonymized, unless otherwise specified by laws and regulations or with the explicit consent of the individual concerned.
(5) Establish a least-privilege access control policy, ensuring that personnel authorized to access personal data can only view the minimum amount of personal data necessary to fulfill their duties—and possess only the minimal data-processing permissions required for those responsibilities.
Article 12: Data processors shall not refuse to provide relevant core functions or services to a natural person simply because the individual does not consent to the processing of their personal data—unless such personal data is strictly necessary for delivering the relevant core functions or services.
Article 13: The municipal cyberspace administration shall collaborate with departments such as municipal industry and information technology, public security, and market regulation, as well as relevant industry authorities, to establish and improve a joint working mechanism for the supervision and management of personal data protection. This mechanism will strengthen overall coordination and guidance on personal data protection efforts and related supervisory activities. Additionally, a complaint and reporting handling system for personal data protection will be established to address relevant grievances and reports in accordance with the law.
Section 2: Notification and Consent
Article 14: When processing personal data, individuals must be fully, truthfully, and accurately informed—before the processing begins—in a clear, understandable, specific, and easily accessible manner about the following matters:
(1) The name or designation and contact information of the data processor;
(2) Types and scope of personal data processed;
(3) The purposes and methods for processing personal data;
(4) The duration for which personal data is stored;
(5) Potential security risks associated with the processing of personal data, as well as the security measures implemented to protect such personal data;
(6) The relevant rights that natural persons enjoy under the law, as well as the methods for exercising those rights;
(7) Other matters that must be disclosed as required by laws and regulations.
Those handling sensitive personal data must, in accordance with the preceding paragraph, clearly indicate—or prominently highlight—the necessity of processing such data, as well as the potential impact on individuals.
Article 15: In emergency situations, if it is impossible to provide prior notification as stipulated in Article 14 of these Regulations due to the need to protect the significant legitimate rights and interests of natural persons—such as their personal safety or property—notice must be given promptly once the emergency has been resolved.
Where the processing of personal data is subject to legal or administrative regulations requiring confidentiality or exempting from the obligation to provide notice, the provisions of Article 14 of this regulation shall not apply.
Article 16: Data processors shall obtain the consent of individuals before processing their personal data and may only process such data within the scope of that consent, unless otherwise provided by law, administrative regulations, or this regulation.
If the matters requiring consent as stipulated in the preceding paragraph undergo any changes, re-consent must be obtained.
Article 17: Data processors shall not obtain consent from individuals through misleading, deceptive, coercive, or other methods that violate the individual's genuine will.
Article 18: When handling sensitive personal data, explicit consent from the individual must be obtained prior to processing.
Article 19: When processing biometric data, organizations must provide alternative options for handling other non-biometric personal data, provided that the individual has given explicit consent. However, this requirement does not apply if processing biometric data is strictly necessary for the purpose of handling personal data and cannot be replaced by other types of personal data.
Biometric data processed for a specific purpose may not be used for any other purpose without the explicit consent of the individual.
Specific management measures for biometric data will be formulated separately by the Municipal People's Government.
Article 20: When handling personal data of minors under the age of 14, the relevant provisions governing the processing of sensitive personal data shall apply, and explicit consent from their legal guardians must be obtained prior to processing.
When processing personal data of adults who are either incapable or partially capable of civil acts, explicit consent from their guardians must be obtained prior to handling the data.
Article 21: Personal data may be processed without obtaining the individual's consent in any of the following circumstances:
(1) Processing personal data that individuals have independently disclosed or that has already been lawfully made public, provided such processing aligns with the purpose for which the data was originally disclosed.
(2) Necessary for concluding or fulfilling a contract in which a natural person is one of the parties;
(3) Data processors may, within reasonable limits, handle the personal data of their employees when necessary for human resource management and the protection of trade secrets.
(4) Necessary for public management and service institutions to fulfill their public management duties or provide public services in accordance with the law;
(5) Necessary for news organizations to conduct news reporting in accordance with the law;
(6) Other circumstances prescribed by laws and administrative regulations.
Article 22: Natural persons have the right to withdraw their consent, in whole or in part, for the processing of their personal data.
If a natural person withdraws their consent, the data processor may not continue processing the personal data of that individual within the scope of the withdrawn consent. However, this does not affect the data processor’s lawful handling of data based on prior consent before the withdrawal was made. Where otherwise provided by laws or regulations, those provisions shall prevail.
Article 23: When processing personal data, organizations shall provide individuals with easily accessible means to withdraw their consent. It is prohibited to impose unreasonable restrictions or additional, unjustified conditions on individuals seeking to withdraw their consent, whether through service agreements or technical measures.
Section 3: Personal Data Processing
Article 24: If personal data is inaccurate or incomplete, the data processor shall promptly supplement or correct it upon the request of the individual.
Article 25: Data processors shall promptly delete personal data if any of the following circumstances apply:
(1) The storage period prescribed by laws, regulations, or agreed upon has expired;
(2) The purpose for processing personal data has been achieved, or the personal data is no longer necessary for achieving the original purpose;
(3) A natural person withdraws consent and requests the deletion of personal data;
(4) When a data processor violates laws, regulations, or the agreed-upon terms for data handling, natural persons may request deletion of the data.
(5) Other circumstances prescribed by laws and regulations.
In cases falling under the first or second scenario outlined above, data processors may retain the relevant personal data where laws and regulations stipulate otherwise or the individual consents.
If a data processor deletes personal data in accordance with paragraph 1 of this article, it may retain evidence of notification and consent—but only to the extent necessary for fulfilling its legal obligations or resolving any disputes.
Article 26: When data processors provide personal data they have processed to third parties, they must first de-identify the data, ensuring that the provided personal data cannot be used to re-identify a specific natural person without relying on additional information. If laws or regulations stipulate otherwise, or if the natural person and the data processor have agreed to anonymization, the data processor shall carry out anonymization in accordance with legal requirements, regulatory provisions, or their mutual agreement.
Article 27: Data processors may choose not to de-identify personal data they provide to third parties if any of the following circumstances apply:
(1) When required in writing by public administration and service agencies to fulfill their public management duties or provide public services as mandated by law;
(2) Providing relevant personal data to others based on the consent of the individual;
(3) Necessary for concluding or fulfilling a contract in which a natural person is one of the parties;
(4) Other circumstances prescribed by laws and administrative regulations.
Article 28: Natural persons may request data processors to access and copy their personal data. The data processor shall provide such access and copies promptly in accordance with relevant regulations, and no fees may be charged for this service.
Article 29: When data processors create user profiles of natural persons for the purpose of enhancing product or service quality, they shall clearly inform individuals about the specific purposes and key principles underlying these user profiles.
Natural persons may refuse to let data processors create user profiles as described in the preceding paragraph, or recommend personalized products or services based on such profiles. Data processors must provide them with an easily accessible and effective method to exercise this right of refusal.
Article 30: Data processors shall not use user profiles to recommend personalized products or services to minors under the age of 14. However, this restriction does not apply when such actions are necessary to protect the minors' legitimate rights and interests, provided that explicit consent has been obtained from their guardians.
Article 31: Data processors shall establish mechanisms for individuals to exercise their relevant rights, as well as for handling complaints and reports, and shall provide effective and easily accessible channels for doing so.
When a data processor receives a request to exercise rights or a complaint/report, it must promptly acknowledge and take appropriate measures in accordance with the law. If the request or complaint is denied, the processor must provide a clear explanation for the decision.
Section 1: General Provisions
Article 32: The Municipal Data Committee shall establish a Public Data Specialist Committee, which will be responsible for studying and coordinating on key issues related to public data management.
The Municipal Public Service Data Management Department oversees the daily operations of the Municipal Public Data Expert Committee and is responsible for coordinating public data management across the city. It establishes and enhances the public data resource management system, while also driving initiatives to promote the sharing, opening, and effective utilization of public data.
Under the guidance of the Municipal Public Service Data Management Department, the district-level public service data management department is responsible for coordinating public data management efforts within the district.
Article 33: The Municipal People's Government shall establish a City Big Data Center, develop and refine its construction, operation, and management mechanisms, and ensure unified, centralized, secure, and efficient management of the city's public data resources.
The people's governments of each district may, in accordance with the city-wide unified plan, establish sub-centers of the city's big data center and integrate public data resources into the centralized management of the city's big data center.
The city's big data center includes public data resources and the software and hardware infrastructure that supports their management.
Article 34: The municipal public service data management department is responsible for facilitating the aggregation of public data into the City Big Data Center, and for organizing public administration and service institutions to leverage the City Big Data Center in promoting public data sharing, opening, and utilization.
Article 35: Implement a classified management system for public data.
The municipal government's administrative department for public service data is responsible for overseeing the overall planning, construction, and management of the city's public data resource system. It also collaborates with relevant departments to build and maintain foundational databases covering population, legal entities, real estate, natural resources and spatial geography, electronic credentials, and public credit systems.
Relevant industry authorities should, in accordance with the overall plan and relevant institutional guidelines of the public data resource system, formulate plans for their respective industry's public data resource systems, as well as build and manage related thematic databases.
Public management and service organizations should build and manage their own business databases in accordance with the overall plan of the public data resource system, industry-specific plans, and relevant institutional guidelines.
Article 36: Implement a public data catalog management system.
The municipal government's administrative department for data management is responsible for establishing a unified public data resource catalog system across the city, developing standardized guidelines for compiling public data catalogs, and organizing public management and service agencies to prepare their catalogs in accordance with these guidelines. This includes processing various types of public data, as well as clearly defining the departments responsible for data sources and outlining their respective management responsibilities.
Public management and service organizations should conduct catalog management of their public data in accordance with the requirements of the public data resource cataloging standards.
Article 37: Public management and service organizations collecting data shall comply with the following requirements:
(1) Necessary for the lawful performance of public management duties or the provision of public services, and limited to the scope of such duties or services being performed or provided;
(2) The types and scope of data collected must be aligned with the public management responsibilities legally mandated or the public services provided.
(3) The collection process complies with relevant laws and regulations.
Data obtained by public administration and service agencies through shared access must not be collected separately from individuals, legal entities, or non-legal organizations.
Article 38: Public management and service organizations shall retain records of the public data processing procedures in accordance with relevant regulations.
Article 39: The municipal public service data management department shall organize the development of public data quality management systems and standards, establish a robust quality monitoring and evaluation framework, and oversee its implementation.
Public management and service organizations should establish and refine their own data quality management systems in accordance with public data quality management policies and standards, strengthen data quality control, and ensure that data are accurate, reliable, complete, timely, and readily available.
The Municipal Public Data Specialist Committee should regularly evaluate the data management practices of public administration and service agencies, and report the evaluation results to the Municipal Data Committee.
Article 40: The Municipal People's Government shall strengthen institutional mechanisms and technological innovation in the areas of public data sharing, openness, and utilization, continuously enhancing the quality and efficiency of these efforts.
Section 2: Public Data Sharing
Article 41: Public data should, in principle, be shared, with non-sharing being the exception.
The municipal government's administrative department for public service data should establish a mechanism for aligning public data-sharing needs based on the public data resource catalog system, along with relevant management regulations.
Article 42: Public data included in the public data sharing catalog shall, in accordance with relevant regulations, be promptly and accurately shared among public management and service agencies that require it via the public data sharing platform of the City Big Data Center—unless otherwise specified by laws or regulations.
The public data sharing catalog will be formulated separately by the municipal government service data management department and adjusted promptly as needed.
Article 43: Public management and service organizations may submit requests for public data sharing based on the need to fulfill their public management responsibilities or deliver public services in accordance with the law. These requests must clearly specify the legal basis, purpose, scope, and methods of data usage, as well as any related requirements. Furthermore, organizations are required to strengthen the management of shared data in line with guidelines issued by the local government service data management authority and the data-providing departments—and must ensure that the data is not used beyond its intended scope or diverted for other purposes.
The public data-providing department shall respond to the data-sharing requests from public data-using departments within the specified timeframe, and provide necessary guidance on data usage as well as technical support.
Article 44: Data required by public administration and service institutions to fulfill their public management duties or deliver public services as mandated by law, but which cannot be obtained through the Public Data Sharing Platform, may be centrally procured externally by the Municipal People’s Government. Such data will then be incorporated into the Public Data Sharing Catalog in accordance with relevant regulations, with the specific implementation coordinated by the Municipal Administration of Government Services Data Management Department.
Section 3: Public Data Openness
Article 45: For the purposes of these Regulations, "public data opening" refers to the activity whereby public management and service institutions provide machine-readable public data to the public through a public data open platform.
Article 46: Public data disclosure shall adhere to the principles of classification and tiered management, demand-driven approaches, and security control, while maximizing openness within the scope permitted by laws and regulations.
Article 47: Public data made available in accordance with laws and regulations shall be provided free of charge. If otherwise specified by laws or administrative regulations, those provisions shall prevail.
Article 48: Public data is categorized into three types based on open access conditions: unconditionally open, conditionally open, and not for release.
Unconditionally open public data refers to public data that should be freely accessible to individuals, legal entities, and non-legal organizations without any restrictions. Conditionally open public data, on the other hand, is made available to these same groups under specific conditions, ensuring equal access for all. Finally, public data that is not open includes information related to national security, trade secrets, personal privacy, or cases explicitly prohibited by laws, regulations, or other governing rules.
Article 49: The municipal public service data management department shall establish a public data openness management system based on a public data resource catalog framework, compile a public data openness directory, and update it promptly as needed.
Public data that is conditionally open should clearly specify the methods of access, usage requirements, and security safeguards when compiling the public data open catalog.
Article 50: The municipal administrative department responsible for government service data shall leverage the city's big data center to build a unified and efficient public data open platform, and organize public management and service agencies to make public data available to society through this platform.
The public data open platform should provide a variety of data openness services—such as data downloads, application programming interfaces, and a secure, trustworthy environment for comprehensive data utilization—based on the type of public data being made available.
Section 4: Utilization of Public Data
Article 51: The Municipal People's Government shall accelerate the development of a digital government, deepening the application of data in economic regulation, market oversight, social governance, public services, and ecological environmental protection. It will establish and refine institutional frameworks for data-driven management, fostering innovative approaches to government decision-making, regulatory practices, and service delivery—ultimately enabling proactive, precise, integrated, and intelligent public administration and service provision.
Article 52: The Municipal People's Government shall leverage the City Big Data Center to build business, data, and capability hubs based on a unified architecture, thereby establishing a cohesive urban intelligent hub platform system. This system will deliver unified, comprehensive digital services for public management, public services, and application scenarios across various regions and industries, fostering seamless integration of technology, operations, and data.
The Municipal People's Government can leverage the city's intelligent central platform to establish a government management and service command center, creating and refining operational management mechanisms. This initiative will drive the government’s overall digital transformation, fostering deeper data sharing and business collaboration across multiple levels, regions, systems, departments, and functions. Ultimately, it will help build a unified, integrated, intelligent, precise, and highly efficient government operating system.
Relevant industry authorities should leverage the city's intelligent central platform to build industry-specific management service platforms, driving the comprehensive digital transformation of management and services within their respective sectors.
The people's governments of each district should leverage the city's intelligent central platform, focusing on serving the grassroots level by integrating data resources, optimizing business processes, and innovating management models, thereby advancing the scientific, refined, and intelligent transformation of grassroots governance and services.
Article 53: The Municipal People's Government shall leverage the city's intelligent central platform to promote business integration and process reengineering, further advancing innovation in an integrated government service model characterized by unified front-end reception, collaborative back-end approvals, and city-wide seamless operations.
The municipal government service and data management department should encourage public administration and service agencies to enhance the innovative use of public data in public management and service processes, streamlining application materials and procedures while optimizing overall workflows. For matters where approval decisions can be made through data comparison, fully automated, intelligent approval processes—requiring no human intervention—can be implemented.
Article 54: The Municipal People's Government shall leverage the city's intelligent central platform to strengthen the collection and sharing of regulatory and credit data, fully utilizing public data and regulatory systems across various sectors. It will promote new regulatory approaches such as off-site supervision, credit-based regulation, and risk early warning, thereby enhancing the overall effectiveness of oversight.
Article 55: The municipal government's data management department may establish a data integration and application service platform, providing the public with a secure, trustworthy environment for comprehensive data utilization and development, and jointly fostering innovation in smart city applications.
Section 1: General Provisions
Article 56: The Municipal People's Government shall undertake comprehensive planning to accelerate the development of the data-driven market, fostering the establishment of a robust market system encompassing data collection, processing, sharing, openness, trading, and application—thereby promoting the orderly and efficient flow and utilization of data resources.
Article 57: Market entities engaging in data processing activities shall fulfill their primary responsibilities for data management, establish and improve a robust data governance organizational structure, management systems, and self-assessment mechanisms. They must implement classified and tiered protection and management of data, strengthen data quality control, and ensure the data’s authenticity, accuracy, completeness, and timeliness.
Article 58: Market entities may independently use, derive revenue from, and dispose of data products and services legitimately created through lawful data processing—all in accordance with the law.
Article 59: When market entities open up or provide access to personal data for use by third parties, they shall comply with the relevant provisions outlined in Chapter 2 of these Regulations. In cases where personal data is shared with specific third parties, entrusted to third-party processors, or made available for their use, a corresponding agreement must be signed.
Article 60: When using, transmitting, or entrusting the processing of data products and services from other market entities—particularly those involving personal data—compliance with the provisions of Chapter 2 of this regulation, as well as the terms outlined in the relevant agreements, is required.
Section 2: Market Development
Article 61: The Municipal People's Government shall organize the development of local standards, including compliance standards for data processing activities, standards for data products and services, data quality standards, data security standards, data value assessment standards, and data governance evaluation standards.
Industry organizations in data-related sectors are supported in developing group standards and industry guidelines, providing services such as information, technology, and training, and guiding and encouraging market players to regulate their data practices, thereby fostering the healthy development of the industry.
Market entities are encouraged to develop data-related corporate standards and to participate in the formulation of relevant local and industry-specific group standards.
Article 62: Data processors may entrust third-party organizations to conduct data quality assessment and certification; such third-party organizations shall carry out data quality assessment and certification activities in accordance with the principles of independence, transparency, and impartiality.
Article 63: Data value assessment institutions are encouraged to explore and develop a data asset pricing index system, focusing on aspects such as real-time performance, time span, sample coverage, data integrity, data type classification, and data mining potential, thereby promoting the establishment of standardized guidelines for data value evaluation.
Article 64: The city's statistical department should explore establishing a statistical accounting system for data as a production factor, clearly defining the scope, statistical indicators, and methodologies to accurately reflect the asset value of data as a production factor, thereby promoting the inclusion of data as a production factor into the national economic accounting system.
Article 65: The Municipal People's Government shall promote the establishment of a data trading platform and guide market entities to conduct data transactions through this platform.
Market entities can conduct data transactions either through legally established data trading platforms or directly between the parties involved, in accordance with the law.
Article 66: The data trading platform shall establish a secure, trustworthy, controllable, and traceable data trading environment. It must also formulate rules governing data transactions, information disclosure, self-regulatory oversight, and other related areas, while implementing effective measures to safeguard personal data, trade secrets, and critical data as defined by national regulations.
Article 67: Data products and services generated by market entities through the lawful processing of data may be traded in accordance with the law. However, this does not apply in any of the following circumstances:
(1) The data products and services traded involve personal data without lawful authorization;
(2) The data products and services traded include public data that has not been legally opened for access;
(3) Other circumstances where trading is prohibited by laws and regulations.
Section 3: Fair Competition
Article 68: Market entities shall abide by the principle of fair competition and must not engage in any of the following acts that infringe upon the legitimate rights and interests of other market entities:
(1) Obtaining data from other market entities through illegal means;
(2) Using illegally collected data from other market entities to provide alternative products or services;
(3) Other activities prohibited by laws and regulations.
Article 69: Market entities shall not use data analysis to impose differentiated treatment on counterparties engaged in transactions under identical terms and conditions, except in any of the following circumstances:
(1) Implementing different transaction terms based on the actual needs of the counterparty, while adhering to legitimate trading practices and industry norms;
(2) Offering promotional activities to new users within a reasonable timeframe;
(3) Conducting random transactions based on fair, reasonable, and non-discriminatory rules;
(4) Other circumstances stipulated by laws and regulations.
The "identical transaction conditions" mentioned in the preceding paragraph mean that there are no substantial differences among the counterparties in terms of transaction security, transaction costs, creditworthiness, transaction stages, or the duration of the deal.
Article 70: Market entities shall not exclude or restrict competition by entering into monopoly agreements, abusing their dominant position in the data-driven market, or illegally implementing concentrations of business operators.
Section 1: General Provisions
Article 71: Data security management shall adhere to the principles of government oversight, accountability of responsible entities, proactive defense, and comprehensive prevention. It emphasizes balancing security with development, encourages research and development of data security technologies, and ensures the safety of data throughout its entire lifecycle.
The Municipal People's Government should coordinate city-wide data security management and establish a comprehensive, well-rounded data security governance system.
Article 72: Data processors shall, in accordance with laws and regulations, establish and improve robust security management systems covering data classification and grading, risk monitoring, security assessments, and security training, implement corresponding safeguards, continuously enhance technical measures, and ensure data security.
If a data processor undergoes changes such as merger, division, or acquisition, the data security management responsibilities will continue to be fulfilled by the entity that results from the change.
Article 73: When handling sensitive personal data or critical data as defined by the state, organizations must establish data security management bodies in accordance with relevant regulations, designate specific individuals responsible for data security, and implement enhanced technical safeguards.
Article 74: The municipal cyberspace administration shall coordinate with relevant regulatory and industry authorities to formulate specific catalogs of critical data for their respective departments and industries, in accordance with the national data classification and grading protection system. Data listed in these catalogs will receive prioritized protection.
Section 2: Data Security Management
Article 75: Data processors shall maintain records of their entire data processing workflow, ensuring the legality of data sources and guaranteeing that the entire process is clear and fully traceable.
Article 76: Data processors shall, in accordance with the requirements of laws, regulations, and national standards, de-identify or anonymize the personal data they collect and store it separately from any data that could be used to re-identify specific individuals.
Data processors shall develop and implement security measures such as de-identification or anonymization specifically for sensitive personal data and critical data as stipulated by national regulations.
Article 77: Data processors shall implement domain-based and tiered management of data storage, selecting storage media that match the required security performance, protection levels, and security classifications. For sensitive personal data and critical data specified by national regulations, additional measures such as encrypted storage, authorized access, or other more stringent security safeguards must also be adopted.
Article 78: Data processors shall implement security technical safeguards throughout the data processing workflow and establish a disaster recovery and backup system for critical systems and core data.
Article 79: When data processors share or open data, they shall establish robust data-sharing and openness security management systems, as well as develop and refine secure management mechanisms for external data interfaces.
Article 80: Data processors shall establish data destruction procedures and ensure the effective disposal of data that requires deletion.
If a data processor ceases operations or dissolves without a successor entity to take over the data, it must promptly and effectively destroy the data under its control—unless otherwise specified by laws or regulations.
Article 81: When a data processor entrusts another party to handle data on its behalf, it shall enter into a data security protection contract with the other party, clearly defining the security responsibilities of both sides.
After completing the processing task, the trustee shall promptly and effectively destroy the data it has stored, unless otherwise specified by laws or regulations, or agreed upon by both parties.
Article 82: When data processors transfer personal data or important data as defined by the state to entities outside China, they must, in accordance with relevant regulations, apply for a security assessment of data export and undergo a national security review.
Article 83: Data processors shall implement monitoring and alerting measures that align with the level of data security protection, continuously tracking and promptly issuing alerts in response to abnormal situations such as data leakage, corruption, loss, or tampering.
When a data processor detects or suspects that a data security incident, such as a data breach, damage, loss, or tampering, has occurred or may occur, it must immediately implement corrective and preventive measures.
Article 84: When handling sensitive personal data or critical data as defined by the state, organizations shall conduct regular risk assessments in accordance with relevant regulations and submit the risk assessment reports to the competent authorities.
Article 85: Data processors shall establish a data security emergency response mechanism and develop a data security contingency plan. The contingency plan must classify data security incidents based on factors such as the severity of the harm and the scope of impact, and specify corresponding emergency response measures for each level.
Article 86: In the event of data security incidents such as data breaches, damage, loss, or tampering, the data processor shall immediately activate the emergency response plan, implement appropriate remedial measures, promptly notify the relevant rights holders, and report the incident to the municipal Cyberspace Administration, public security authorities, and relevant industry regulators in accordance with applicable regulations.
Section 3: Data Security Oversight
Article 87: The municipal cyberspace administration department shall, in accordance with relevant laws, administrative regulations, and the provisions of these Regulations, be responsible for coordinating data security efforts and related supervisory functions. It will also collaborate with municipal public security agencies, national security departments, and relevant industry authorities to establish and improve a robust data security oversight mechanism, as well as organize regular data security inspections and checks.
Article 88: The municipal cyberspace administration shall collaborate with relevant authorities to strengthen data security risk analysis, prediction, and assessment, as well as to gather pertinent information. If any situation is detected that could lead to widespread data breaches, damage, loss, or unauthorized alteration—potentially posing significant risks—the authorities shall promptly issue warning alerts, recommend preventive and response measures, and provide guidance and oversight to data processors in ensuring robust data security protections.
Article 89: The municipal cyberspace administration department, along with other departments responsible for overseeing data security, may entrust third-party organizations to conduct data security management certification and data security assessments of data processors, in accordance with laws, regulations, and relevant standard requirements, and to assign these processors a corresponding security level rating.
Article 90: The municipal cyberspace administration and other departments responsible for overseeing data security shall, in the course of performing their duties, summon data processors who fail to fulfill their data security management responsibilities as required, and urge them to make necessary rectifications.
Article 91: The municipal cyberspace administration department, along with other data supervision and management authorities and their staff, shall strictly maintain the confidentiality of personal data, trade secrets, and any other information requiring protection that they become aware of while performing their duties. They must not disclose, sell, or illegally provide such information to third parties.
Article 92: Any violation of the provisions of this regulation regarding the processing of personal data shall be subject to penalties as stipulated by relevant laws and regulations on personal information protection.
Article 93: Public management and service institutions that violate the provisions of this regulation shall be ordered to make corrections by their superior or relevant authorities. If they refuse to comply or if their failure results in serious consequences, legal liability will be pursued accordingly. Furthermore, if such violations cause losses to natural persons, legal entities, or non-legal organizations, the institutions shall bear compensation liability as required by law.
Article 94: Any entity that trades data in violation of Article 67 of these Regulations shall be ordered by the municipal market supervision and administration department or the relevant industry authorities, in accordance with their respective responsibilities, to make corrections and have any illegally obtained gains confiscated. For transactions involving amounts below RMB 10,000, a fine of between RMB 50,000 and RMB 200,000 will be imposed; for transactions exceeding RMB 10,000, the penalty will range from RMB 200,000 to RMB 1 million. Additionally, the entity may face other administrative penalties as prescribed by laws and administrative regulations. If there are specific provisions in laws or administrative regulations, those shall prevail.
Article 95: Any violation of Articles 68 and 69 of these Regulations that infringes upon the legitimate rights and interests of other market entities or consumers shall be subject to an order for rectification issued by the municipal market supervision and administration department or the relevant industry authorities according to their respective responsibilities, along with confiscation of illegal gains. If the entity refuses to comply, it will face a fine ranging from RMB 50,000 to RMB 500,000. In cases of serious violations, a penalty equivalent to up to 5% of the entity’s previous year’s turnover—capped at RMB 50 million—may also be imposed. Additionally, the entity may be subject to other administrative penalties prescribed by law or administrative regulations. Where specific provisions already exist in laws or administrative regulations, those provisions shall prevail.
Market entities that violate Article 70 of these Regulations by engaging in unfair competition or monopolistic practices shall be penalized in accordance with relevant laws and regulations on anti-unfair competition or antitrust.
Article 96: If a data processor violates the provisions of this regulation and fails to fulfill its data security protection obligations, it shall be penalized in accordance with relevant laws and regulations on data security.
Article 97: If the departments responsible for data supervision and management, as well as public administration and service institutions, fail to fulfill or improperly fulfill their duties as stipulated in these Regulations, the directly responsible principal officers and other directly liable personnel shall be disciplined in accordance with the law; if their actions constitute a crime, criminal liability shall be pursued according to law.
Article 98: If data is processed in violation of the provisions of this regulation, resulting in harm to national or public interests, organizations specified by laws and regulations may file civil public interest lawsuits in accordance with the law. When such organizations initiate civil public interest lawsuits, the People's Procuratorate may provide support for the prosecution if it deems it necessary.
If organizations mandated by laws and regulations fail to file a civil public interest lawsuit, the People's Procuratorate may initiate such a lawsuit in accordance with the law.
If the People's Procuratorate discovers that a department responsible for data supervision and management has illegally exercised its authority or failed to act, resulting in harm to national or public interests, it shall issue a prosecutorial recommendation to the relevant administrative agency. If the administrative agency fails to fulfill its duties as required by law, the People's Procuratorate may file an administrative public interest lawsuit in accordance with the law.
Article 99: If a data processor violates the provisions of these Regulations by handling data in a manner that causes harm to others, it shall bear civil liability in accordance with the law. If the violation constitutes an act disrupting public order, administrative penalties for public security management shall be imposed according to law. And if the offense amounts to a crime, criminal responsibility shall be pursued in accordance with the law.
Article 100: This regulation shall come into effect on January 1, 2022.
Source: Cyberspace Administration of China